7 January 2002
Electronic Frontier Foundation Media Advisory
For Immediate Release: January 7, 2002
Contact:
Daniel Bernstein
Associate Professor
Department of Mathematics, Statistics, and Computer Science
University of Illinois at Chicago
press-20020107@cr.yp.to
+1 312 413-9322
Rich Winter
McBride Baker & Coles
winter@mbc.com
+1 312 715-5796
Govt. Censorship of Cryptography Research Unconstitutional
San Francisco - Professor Daniel J. Bernstein today renews his court battle against U.S. government obstructions to Internet security research.
Bernstein's court complaint, to be filed today by Rich Winter and Sarah Pace of the Chicago-based firm McBride Baker & Coles, challenges the constitutionality of the government's regulations on cryptography. Internet software uses cryptography to keep passwords and credit-card numbers safe from attackers.
"I'm trying to help protect computer systems against terrorists and other criminals," said Bernstein, who first filed legal action against the regulations as a Berkeley graduate student in 1995. "It's inexcusable that the government is continuing to interfere with my research in cryptography and computer security."
The U.S. government has imposed unilateral "national security" controls on encryption research and software for decades. Although strong cryptographic software has been available in Europe for many years, the U.S. government changed its cryptography regulations only two years ago in response to increased frustration by U.S. businesses and Professor Bernstein's successful legal case. However, current U.S. cryptography regulations are more complicated and obscure, restricting the flow of scientific information.
"The regulations require, for example, that whenever scientists disclose something new to a foreign colleague they simultaneously send it to the government," Winter said. "This makes in-person collaboration practically impossible."
Attorney Cindy Cohn of McGlashan and Sarrail led the case through a series of victories. In 1999, the Ninth Circuit Court of Appeals affirmed that earlier regulations violated the First Amendment. After the government changed the regulations in response, the appellate court sent the case back to the U.S. District Court. Cohn subsequently joined EFF as Legal Director and transferred the lead position on the case to McBride Baker & Coles. The case will continue to challenge these regulations until they offer full protection for academic freedom and the Constitutional rights of researchers and programmers.
The government is scheduled to respond to Professor Bernstein's complaint by February 4, 2002, in the Federal District Court for the Northern District of California.
For the recent court complaint in the Bernstein case:
http://www.eff.org/bernstein/20020107_amended_complaint.html
For additional information about the Bernstein case:
http://www.eff.org/bernstein/
About McBride Baker & Coles:
McBride Baker & Coles is a dynamic, client-focused law firm helping businesses compete and grow in a technology-driven world. The firm provides legal services in nearly every area of the law to businesses, organizations, government entities, and individuals. The firm's website is at
http://www.mbc.com
-end-
For background, here are the Export Administration Regulations (EAR) governing encryption exports.
Commercial Encryption Export Controls
http://www.bxa.doc.gov/Encryption/Default.htm
Export Administration Regulations Web Sites
http://207.96.11.93/Regulations/Default.htm
Export Administration Regulations Database
http://w3.access.gpo.gov/bxa/ear/ear_data.html
______________________________________
Source: http://w3.access.gpo.gov/bxa/ear/txt/ccl5-pt2.txt
Category 5 (Part 2) - Information Security (last revised 4 January 2001)
Commerce Control List Supplement No. 1 to Part 774
Export Administration Regulations
CATEGORY 5 - TELECOMMUNICATIONS AND "INFORMATION SECURITY"
II. "Information Security"
Note 1: The control status of "information security"
equipment, "software", systems, application specific
"electronic assemblies", modules, integrated circuits,
components, or functions is determined in Category 5,
part 2 even if they are components or "electronic
assemblies" of other equipment.
Note 2: Category 5 - part 2 encryption products, when
accompanying their user for the user's personal use, are
eligible for License Exceptions TMP or BAG.
Note 3: Cryptography Note: ECCNs 5A002 and 5D002 do not
control items that meet all of the following:
a. Generally available to the public by being sold,
without restriction, from stock at retail selling points
by means of any of the following:
1. Over-the-counter transactions;
2. Mail order transactions;
3. Electronic transactions; or
4. Telephone call transactions;
b. The cryptographic functionality cannot be easily
changed by the user;
c. Designed for installation by the user without further
substantial support by the supplier;
d. Does not contain a "symmetric algorithm" employing a
key length exceeding 64-bits; and
e. When necessary, details of the items are accessible
and will be provided, upon request, to the appropriate
authority in the exporter's country in order to ascertain
compliance with conditions described in paragraphs (a)
through (d) of this note. See §742.15(b)(1) of the EAR.
A. SYSTEMS, EQUIPMENT AND COMPONENTS
5A002 Systems, equipment, application specific "electronic
assemblies", modules and integrated circuits for "information
security", and other specially designed components therefor.
License Requirements
Reason for Control: NS, AT, EI
Control(s)                        Country Chart
NS applies to entire entry        NS Column 1
AT applies to entire entry        AT Column 1
EI applies to encryption items transferred from the U.S.
Munitions List to the Commerce Control List consistent with E.O.
13026 of November 15, 1996 (61 FR 58767) and pursuant to the
Presidential Memorandum of that date. Refer to §742.15 of this
subchapter.
License Exceptions
LVS: Yes: $500 for components and spare
parts only. N/A for equipment.
GBS: N/A
CIV: N/A
List of Items Controlled
Unit: $ value
Related Controls: See also 5A992. This
entry does not control:
(a) "Personalized smart cards" where
the cryptographic capability is restricted
for use in equipment or systems excluded
from control paragraphs (b) through (f) of
this note. Note that if a "personalized
smart card" has multiple functions, the
control status of each function is
assessed individually;
(b) Receiving equipment for radio
broadcast, pay television or similar
restricted audience broadcast of the
consumer type, without digital encryption
except that exclusively used for sending
the billing or program-related information
back to the broadcast providers;
(c) Portable or mobile radiotelephones for
civil use (e.g., for use with commercial
civil cellular radio communications
systems) that are not capable of
end-to-end encryption;
(d) Equipment where the cryptographic
capability is not user-accessible and
which is specially designed and limited to
allow any of the following:
(1) Execution of copy-protected
"software";
(2) access to any of the following:
(a) Copy-protected read-only media;
or
(b) Information stored in
encrypted form on media (e.g., in
connection with the protection of
intellectual property rights) where the
media is offered for sale in identical
sets to the public; or
(3) one-time encryption of copyright
protected audio/video data;
(e) Cryptographic equipment specially
designed and limited for banking use or
money transactions;
(f) Cordless telephone equipment not
capable of end-to-end encryption where the
maximum effective range of unboosted
cordless operation (e.g., a single,
unrelayed hop between terminal and home
basestation) is less than 400 meters
according to the manufacturer's
specifications.
These items are controlled under ECCN
5A992.
Related Definitions: (1) The term
"money transactions" in paragraph (e) of
Related Controls includes the collection
and settlement of fares or credit
functions. (2) For the control of global
navigation satellite systems receiving
equipment containing or employing decryption
(e.g., GPS or GLONASS) see 7A005.
Items:
Technical Note: Parity bits are not included in the key
length.
a. Systems, equipment, application specific "electronic
assemblies", modules and integrated circuits for "information
security", and other specially designed components therefor:
a.1. Designed or modified to use "cryptography"
employing digital techniques performing any cryptographic
function other than authentication or digital signature
having any of the following:
Technical Notes:
1. Authentication and digital signature functions
include their associated key management function.
2. Authentication includes all aspects of access control
where there is no encryption of files or text except as
directly related to the protection of passwords, Personal
Identification Numbers (PINs) or similar data to prevent
unauthorized access.
3. "Cryptography" does not include "fixed" data
compression or coding techniques.
Note: 5A002.a.1 includes equipment designed or modified
to use "cryptography" employing analog principles when
implemented with digital techniques.
a.1.a. A "symmetric algorithm" employing a key
length in excess of 56-bits; or
a.1.b. An "asymmetric algorithm" where the
security of the algorithm is based on any of the
following:
a.1.b.1. Factorization of integers in
excess of 512 bits (e.g., RSA);
a.1.b.2. Computation of discrete
logarithms in a multiplicative group of a
finite field of size greater than 512
bits (e.g., Diffie-Hellman over Z/pZ); or
a.1.b.3. Discrete logarithms in a group
other than mentioned in 5A002.a.1.b.2 in
excess of 112 bits (e.g., Diffie-Hellman
over an elliptic curve);
a.2. Designed or modified to perform cryptanalytic
functions;
a.3. [Reserved]
a.4. Specially designed or modified to reduce the
compromising emanations of information-bearing signals
beyond what is necessary for health, safety or
electromagnetic interference standards;
a.5. Designed or modified to use cryptographic
techniques to generate the spreading code for "spread
spectrum" systems, including the hopping code for
"frequency hopping" systems;
a.6. Designed or modified to provide certified or
certifiable "multilevel security" or user isolation at a
level exceeding Class B2 of the Trusted Computer System
Evaluation Criteria (TCSEC) or equivalent;
a.7. Communications cable systems designed or modified
using mechanical, electrical or electronic means to
detect surreptitious intrusion.
5A992 Equipment not controlled by 5A002.
License Requirements
Reason for Control: AT
Control(s)                        Country Chart
AT applies to 5A992.a             AT Column 1
AT applies to 5A992.b             AT Column 2
License Exceptions
LVS: N/A
GBS: N/A
CIV: N/A
List of Items Controlled
Unit: $ value
Related Controls: N/A
Related Definitions: N/A
Items:
a. Telecommunications and other information security equipment
containing encryption.
b. "Information security" equipment, n.e.s., (e.g.,
cryptographic, cryptanalytic, and cryptologic equipment, n.e.s.)
and components therefor.
B. TEST, INSPECTION AND PRODUCTION EQUIPMENT
5B002 Information Security - test, inspection and "production"
equipment.
License Requirements
Reason for Control: NS, AT
Control(s)                        Country Chart
NS applies to entire entry        NS Column 1
AT applies to entire entry        AT Column 1
License Requirement Notes: See §743.1 of the EAR for
reporting requirements for exports under License
Exceptions.
License Exceptions
LVS: N/A
GBS: N/A
CIV: N/A
List of Items Controlled
Unit: $ value
Related Controls: N/A
Related Definitions: N/A
Items:
a. Equipment specially designed for:
a.1. The "development" of equipment or functions
controlled by 5A002, 5B002, 5D002 or 5E002, including
measuring or test equipment;
a.2. The "production" of equipment or functions
controlled by 5A002, 5B002, 5D002, or 5E002, including
measuring, test, repair or production equipment;
b. Measuring equipment specially designed to evaluate and
validate the "information security" functions controlled by 5A002
or 5D002.
C. Materials [Reserved]
D. Software
5D002 Information Security - "Software".
License Requirements
Reason for Control: NS, AT, EI
Control(s)                        Country Chart
NS applies to entire entry        NS Column 1
AT applies to entire entry        AT Column 1
EI applies to encryption items transferred from the U.S.
Munitions List to the Commerce Control List consistent with E.O.
13026 of November 15, 1996 (61 FR 58767) and pursuant to the
Presidential Memorandum of that date. Refer to §742.15 of the
EAR.
Note: Encryption software is
controlled because of its functional
capacity, and not because of any
informational value of such software; such
software is not accorded the same
treatment under the EAR as other
"software"; and for export licensing
purposes, encryption software is treated
under the EAR in the same manner as a
commodity included in ECCN 5A002.
Note: Encryption software controlled
for "EI" reasons under this entry remains
subject to the EAR even when made publicly
available in accordance with part 734 of
the EAR. See §§740.13(e) and 740.17(5)(i)
of the EAR for information on releasing
certain source code which may be
considered publicly available from "EI"
controls.
Note: After a technical review,
56-bit items, key management products not
exceeding 512 bits and mass market
encryption commodities and software
eligible for the Cryptography Note (see
§742.15(b)(1) of the EAR) may be released
from "EI" and "NS" controls.
License Exceptions
CIV: N/A
TSR: N/A
List of Items Controlled
Unit: $ value
Related Controls: See also 5D992. This
entry does not control "software"
"required" for the "use" of equipment
excluded from control under 5A002 or
"software" providing any of the functions
of equipment excluded from control under
5A002.
Related Definitions: 5D002.a controls
"software" designed or modified to use
"cryptography" employing digital or analog
techniques to ensure "information
security".
Items:
a. "Software" specially designed or modified for the
"development", "production" or "use" of equipment or "software"
controlled by 5A002, 5B002 or 5D002.
b. "Software" specially designed or modified to support
"technology" controlled by 5E002.
c. Specific "software" as follows:
c.1. "Software" having the characteristics, or
performing or simulating the functions of the equipment
controlled by 5A002 or 5B002;
c.2. "Software" to certify "software" controlled by
5D002.c.1.
5D992 "Information Security" "software" not controlled by 5D002.
License Requirements
Reason for Control: AT
Control(s)                                Country Chart
AT applies to 5D992.a.1 and .b.1          AT Column 1
AT applies to 5D992.a.2, b.2 and c        AT Column 2
License Exceptions
CIV: N/A
TSR: N/A
List of Items Controlled
Unit: $ value
Related Controls: N/A
Related Definitions: N/A
Items:
a. "Software", as follows:
a.1 "Software" specially designed or modified for the
"development", "production", or "use" of
telecommunications and other information security
equipment containing encryption (e.g., equipment
controlled by 5A992.a);
a.2. "Software" specially designed or modified for the
"development", "production", or "use" of information
security or cryptologic equipment (e.g., equipment
controlled by 5A992.b).
b. "Software", as follows:
b.1. "Software" having the characteristics, or
performing or simulating the functions of the equipment
controlled by 5A992.a.
b.2. "Software" having the characteristics, or performing
or simulating the functions of the equipment controlled
by 5A992.b.
c. "Software" designed or modified to protect against malicious
computer damage, e.g., viruses.
E. TECHNOLOGY
5E002 "Technology" according to the General Technology Note for
the "development", "production" or "use" of equipment controlled
by 5A002 or 5B002 or "software" controlled by 5D002.
License Requirements
Reason for Control: NS, AT, EI
Control(s)                        Country Chart
NS applies to entire entry        NS Column 1
AT applies to entire entry        AT Column 1
EI applies to encryption items transferred from the U.S.
Munitions List to the Commerce Control List consistent with E.O.
13026 of November 15, 1996 (61 FR 58767) and pursuant to the
Presidential Memorandum of that date. Refer to §742.15 of the
EAR.
License Requirement Notes: See §743.1 of the EAR for
reporting requirements for exports under License
Exceptions.
License Exceptions
CIV: N/A
TSR: N/A
List of Items Controlled
Unit: N/A
Related Controls: See also 5E992
Related Definitions: N/A
Items:
The list of items controlled is contained in the ECCN heading.
5E992 "Information Security" "technology", not controlled by
5E002.
License Requirements
Reason for Control: AT
Control(s)                        Country Chart
AT applies to 5E992.a             AT Column 1
AT applies to 5E992.b             AT Column 2
License Exceptions
CIV: N/A
TSR: N/A
List of Items Controlled
Unit: N/A
Related Controls: N/A
Related Definitions: N/A
Items:
a. "Technology" n.e.s., for the "development", "production" or
"use" of telecommunications equipment and other information
security and containing encryption (e.g., equipment controlled by
5A992.a) or "software" controlled by 5D992.a.1 or b.1.
b. "Technology", n.e.s., for the "development", "production" or
"use" of "information security" or cryptologic equipment (e.g.,
equipment controlled by 5A992.b), or "software" controlled by
5D992.a.2, b.2, or c.
EAR99 Items subject to the EAR that are not elsewhere specified
in this CCL Category or in any other category in the CCL are
designated by the number EAR99.